Auth/Sessions: Unable to set cookie in development #140

Closed
dthyresson opened this issue Feb 28, 2025 · 4 comments · Fixed by #151

Comments

@dthyresson

I followed the sessions starter and was able to set up sessions, the store and DO bindings.

I could tell in my local wrangler that the DO were being saved/stored on login.

However, the request didn't have the cookie set so I was never properly logged in when in development.

After some digging, I found that if I patched createSessionCookie so the cookie was not Secure (i.e., needed https), then cookies were properly set, loaded from the request and auth behaved as expected.

export const createSessionCookie = ({
  sessionId,
  maxAge,
}: {
  sessionId: string;
  maxAge?: number | true;
}) => {
  const isViteDev =
    typeof import.meta.env !== "undefined" && import.meta.env.DEV;

  return `session_id=${sessionId}; Path=/; HttpOnly; ${isViteDev ? "" : "Secure; "}SameSite=Lax${
    maxAge != null
      ? `; Max-Age=${maxAge === true ? MAX_SESSION_DURATION / 1000 : maxAge}`
      : ""
  }`;
};

Perhaps something like this could work or maybe better yet some way of defining cookie props in setupSessionStore(env)?

@justinvdm
Collaborator

Thanks @dthyresson! I'm not sure why we haven't run into this for our own local development, but needing to not have Secure in dev does make sense.

I'll make a PR with both changes (no Secure in dev + flexibility to define cookie for store)

@dthyresson
Author

> Thanks @dthyresson! I'm not sure why we haven't run into this for our own local development, but needing to not have Secure in dev does make sense.
>
> I'll make a PR with both changes (no Secure in dev + flexibility to define cookie for store)

Thanks!

I forgot to note that I use Safari and perhaps they have more restrictive rules? Though I believe I tried Chrome as well.

@justinvdm
Collaborator

@dthyresson done! Will release shortly. We'll still need to document this, but for now here's an example of how to define how to create cookies:

const sessions = defineDurableSession({
  // ...
  cookieName: "user_session",
  createCookie: ({ name, sessionId, maxAge }) => `${name}=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAge ?? (7 * 24 * 60 * 60)}`
});

@justinvdm
Collaborator

Released in 0.0.7!
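
An added example, not part of the thread or the project's code: one way to make the Secure decision from the request itself instead of a build-time dev flag, so the attribute is dropped only for plain-HTTP loopback requests and stays on everywhere else. The names `buildSessionCookie` and `isLoopbackHttp`, the `requestUrl` parameter and the sample URLs in the comments are assumptions for illustration.

```typescript
// Added example (hypothetical helpers, not the library's API).
// Default lifetime matches the createCookie example above: 7 days, in seconds.
const DEFAULT_MAX_AGE_SECONDS = 7 * 24 * 60 * 60;

// The name and session id are written into a Set-Cookie header, so only a
// conservative token alphabet is accepted. This rejects ';', '=', spaces and
// CR/LF, which could otherwise smuggle extra attributes or headers.
const SAFE_TOKEN = /^[A-Za-z0-9_-]+$/;

// True only for plain http:// requests to a loopback host (local development).
// An https:// URL, or http:// to any other host, keeps Secure.
function isLoopbackHttp(requestUrl: string): boolean {
  const url = new URL(requestUrl);
  if (url.protocol !== "http:") return false;
  // URL.hostname keeps the brackets around IPv6 literals.
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

function buildSessionCookie(opts: {
  name: string;
  sessionId: string;
  requestUrl: string; // assumption: the caller has the incoming request's URL
  maxAge?: number; // seconds
}): string {
  const { name, sessionId, requestUrl, maxAge } = opts;
  if (!SAFE_TOKEN.test(name) || !SAFE_TOKEN.test(sessionId)) {
    throw new Error("cookie name and session id must be URL-safe tokens");
  }

  const attrs = [`${name}=${sessionId}`, "Path=/", "HttpOnly"];
  // Secure is the default; it is omitted only for loopback HTTP.
  if (!isLoopbackHttp(requestUrl)) attrs.push("Secure");
  attrs.push("SameSite=Lax", `Max-Age=${maxAge ?? DEFAULT_MAX_AGE_SECONDS}`);
  return attrs.join("; ");
}

// Constructed sample calls:
//   buildSessionCookie({ name: "user_session", sessionId: "abc123",
//                        requestUrl: "http://localhost:5173/login" })
//   buildSessionCookie({ name: "user_session", sessionId: "abc123",
//                        requestUrl: "https://app.example.com/login" })
```

Because the check keys on scheme and host, a development build that ends up deployed behind a real hostname still emits Secure.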
